07-20-2003 03:42 PM - edited 02-20-2020 10:51 PM
I've been researching this problem for several days now, and have come up totally short in terms of finding a solution. I have a PIX 515 with an internal network range of 10.10.0.0/8 behind it and a single external IP I obtain via DHCP [cable]. I have the PIX inside configured as 10.10.0.1 and I have it using DHCP to obtain an IP for the external address.
Now here's the problem: I can ping the other 10.10.0.0/8 machines from the PIX, and I can ping outside IPs from the PIX. However, I cannot get the traffic to route from the internal network through the PIX using PAT.
I think I am missing some route command to send all 0 0 traffic from the inside to the outside, but ??
I am still learning so any extra info would be appreciated as well.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxx encrypted
hostname test
domain-name test
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_grp permit icmp any any
pager lines 24
logging on
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.10.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
rip inside default version 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xxx.xxx.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 10.10.0.10-10.10.0.50 inside
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd domain rw.com
dhcpd enable inside
terminal width 80
Cryptochecksum:
: end
07-21-2003 07:47 AM
Hi,
The default route is set by the 'setroute' parameter of the 'ip address' command, so that's OK.
The nat/global statements also seem OK. Every packet that goes out is hidden behind the outside interface address.
You are trying to mix conduits and access-lists. This may cause the problems. Remove the conduit command for the icmp and use only the access-list command. Make sure to bind the access-list to the outside interface:
no conduit permit icmp any any
access-list acl_grp permit icmp any any
access-group acl_grp in interface outside
These lines allow all inbound ICMP traffic from the outside to the inside. Maybe you should narrow it down to only ICMP echo reply packets.
Kind Regards,
Tom
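The checks Tom walks through by hand (is the default route set, does every nat id have a global, are conduits and access-lists being mixed, is the access-list actually bound with access-group under the same name) can be applied mechanically to a PIX 6.x running-config. The script below is an added example and is not code from this thread or from Cisco; it parses the config text with regular expressions and reports each of those conditions. The sample config embedded in it is constructed from the relevant lines of the original post, with the access-group line added as written in the reply, so the name mismatch between acl_grp and acl-grp is visible to the checker.

```python
"""Lint a PIX 6.x running-config for the issues discussed in the thread.

Added example, not from the thread or from Cisco. Reports:
  * access-lists defined but never bound with access-group
  * access-group lines that reference an access-list that does not exist
  * conduit statements coexisting with access-lists (a deprecated mix)
  * nat statements whose NAT id has no matching global (id 0 is identity NAT)
  * no default route on outside (neither 'setroute' nor 'route outside 0 0')
"""
import re

# Constructed sample: the poster's config reduced to the relevant lines, plus
# the access-group line from the reply, which misspells the access-list name.
SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address inside 10.10.0.1 255.0.0.0
access-list acl_grp permit icmp any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
access-group acl-grp in interface outside
"""

# Constructed corrected form: conduit removed, access-group name matches.
FIXED_CONFIG = """\
ip address outside dhcp setroute
ip address inside 10.10.0.1 255.0.0.0
access-list acl_grp permit icmp any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_grp in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s")
ACG_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s")
ROUTE_RE = re.compile(r"^route\s+outside\s+0(?:\.0\.0\.0)?\s+0(?:\.0\.0\.0)?\s")


def lint_pix_config(text):
    """Return a list of finding strings for the given config text (empty if clean)."""
    acls, bound, nat_ids, global_ids = set(), {}, set(), set()
    has_conduit = False
    has_default_route = False

    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := ACG_RE.match(line):
            bound[m.group(1)] = m.group(2)          # acl name -> interface
        elif line.startswith("conduit "):
            has_conduit = True
        elif m := NAT_RE.match(line):
            nat_ids.add(m.group(2))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))
        elif line.startswith("ip address outside dhcp") and "setroute" in line:
            has_default_route = True
        elif ROUTE_RE.match(line):
            has_default_route = True

    findings = []
    for name in sorted(acls - set(bound)):
        findings.append(f"access-list {name} is defined but not bound with access-group")
    for name in sorted(set(bound) - acls):
        findings.append(f"access-group references unknown access-list {name}")
    if has_conduit and acls:
        findings.append("conduit and access-list are mixed; migrate conduits to access-lists")
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat id {nid} has no matching global")
    if not has_default_route:
        findings.append("no default route on outside (no setroute and no route outside 0 0)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in lint_pix_config(cfg) or ["no findings"]:
            print("  -", f)
```

Run against the posted config it reports three findings: the unbound acl_grp, the access-group pointing at a non-existent acl-grp, and the conduit/access-list mix. Against the corrected config it reports nothing, which is the state the reply is steering toward.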